Sunday, December 15, 2013

How we know the 60 Minutes NSA interview was crap

Regardless of where you stand on the Snowden/NSA debate, it's obvious tonight's "60 Minutes" was a travesty of journalism. In exchange for exclusive access to the NSA, CBS parroted dubious NSA statements as fact. We can see this in the way they described what they call the "BIOS plot", which the claim would have destroyed the economy of the United States had the NSA not saved us. The NSA spokesperson they quote, Debra Plunkett, is a liar.

There is probably some real event behind this, but it's hard to tell, because we don't have any details. The event has been distorted to serve the needs of propaganda. It's completely false in the message it is trying to convey. What comes out is gibberish, as any technical person can confirm.
The discussion of the plot is at timestamp 3:33 in the video here http://www.cbsnews.com/videos/the-snowden-affair/, but below, I include a little mini transcript:

(Narration) "One [attack] they did see coming was called the 'BIOS plot'. It could've been catastrophic for the United States. While the NSA would not name the country behind it, cybersecurity experts briefed on the operation told us it was China. Debra Plunkett directs cyber defense for the NSA, and for the first time discusses the agency's role in discovering the plot."

Plunkett: "One of our analysts actually saw that a nation-state had the intention to develop and to deliver, to actually use this capability to destroy computers."

Reporter: "To destroy computers?"

Plunkett: "To destroy computers. So the BIOS is a basic input/output system. It's like the foundational component firmware of a computer. You start your computer up; the BIOS kicks in, it activates hardware, it activates the operating system. It turns on the computer."

Shows something called a BIOS, but which is actually a Serial ATA controller BIOS, not the motherboard's BIOS. LOL.

(Narration) "This is the BIOS system which starts most computers. The attack would've been disguised as a request for a software update. If the user agreed, the virus would've infected the computer."

Reporter: "So, this basically would've gone into the system that starts up the computer, runs the systems, tells it what to do,..."

Plunkett: "That's right."

Reporter: "...and basically turned it into a cinderblock?"

Plunkett: "A brick."

Reporter: "And, after that, there wouldn't be much that you could do with that computer?"

Plunkett: "That's right. Think about the impact of that across the entire globe. It could literally take down the US economy."

Reporter: "I don't mean to be flip about this, but it has kind of a little Doctor Evil quality to it, that 'I'm going to develop a program to destroy every computer in the world'. It sounds almost unbelievable."

Plunkett: "Don't be fooled. There are absolutely nation-states who have the capability and the intentions to do just that."

Reporter: "Based on what you've learned here at the NSA, would it have worked?"

Plunkett: "We believe it would have, yes."

Reporter: "Is this anything that has been talked about publicly before?"

Plunkett: "No, not to this extent. This is the first time."

(Narrator) "The NSA, working with computer manufacturers, was able to close this vulnerability. But they say there are other attacks occurring daily."

Update: Why is is this gibberish/false?

There are no technical details. Yes, they talk about "BIOS", but it's redundant, unrelated to their primary claim. Any virus/malware can destroy the BIOS, making a computer unbootable, "bricking" it. There's no special detail here. All they are doing is repeating what Wikipedia says about BIOS, acting as techie talk layered onto the discussion to make it believable, much like how Star Trek episodes talk about warp cores and Jeffries Tubes.

Stripped of techie talk, this passage simply says "The NSA foiled a major plot, trust us." But of course, there is no reason we should trust them. It's like how the number of terrorist plots foiled by telephone eavesdropping started at 50 then was reduced to 12 then to 2 and then to 0, as the NSA was forced to justify their claims under oath instead of in front of news cameras. The NSA has proven itself an unreliable source for such information -- we can only trust them if they come out with more details -- under oath.

Moreover, they don't even say what they imply. It's all weasel-words. Nowhere in the above passage does a person from the NSA say "we foiled a major cyber terror plot". Instead, it's something you piece together by the name "BIOS plot", cataclysmic attacks on our economy (from the previous segment), and phrases like "would it have worked".

So, in the end, it's just like the existing testimony from Clapper and Alexander that is never precisely a lie, but likewise, intentionally deceptive.

Imagine a scenario where an analyst, reading public Chinese hacking forums, comes across a discussion proposing the idea of bribing Chinese manufacturers to add evil code to BIOSes. So, the NSA writes this up in a report, and sends it to all the major vendors, like Dell and HP, suggesting they always doublecheck the BIOSes to make sure they haven't been corrupted.

What's important about this scenario is that it describes no real plot or threat, no real vulnerability, yet it matches everything in the above text. The NSA stops nothing in this scenario, but gets to fling words at CBS to make it look like they did.

I mention this as a scenario because it happens a lot in the hacking world. White hats and black hats are always plotting, scheming, and conspiring. At least, that's what it looks like from the outside. On the inside, we are usually just goofing off. For example, a few months ago, on Twitter, I and some other guys were talking trash, arguing about whether the iPhone 5S touch sensor could be hacked. So, we started betting money. After three of us bet money, I decided to create a website to track the bets,http://istouchidhackedyet.com, believing it might reach 8 people. This website took off. We got deluged with people offering up money for this. The website got millions of hits. I was interviewed on television about this "project". Suddenly, I became one of the world's foremost authorities on crowdsourced bounties. People kept asking me about the plan behind the site, but there wasn't one. All the planning, plotting, and conspiring behind this site never existed -- it was all in other people's imaginations.

As I've blogged before, there are many stories whose scariness depends how you tell them. For example, the NSA/CIA pass around a story about how hackers broke into a power grid in a foreign country, then extorted money, threatening blackouts. As it turns out, the "hackers" in question consisted of guy who operated the console of the control system. They were insiders, with access to the switches, who barely knew anything about computers. They weren't hackers from the Internet. The threat could've been carried out before the grid was even computerized -- though of course, back then, they would've assumed "insider" rather than "elite hacker team" and caught the bastards.

In summary, we experts just aren't impressed. We know how viruses work, and see nothing special here. We know how stories get distorted. We know how paranoia makes minor things look scary. If there were something momentous here, they would say so. But instead, they used techno mumbo jumbo to confuse the typical 60 Minutes viewer into believing something that was never explicitly stated.

6 comments:

I am just finishing watching the same 60 Minutes segment -- and I concur.

CBS has really lost their credibility lately -- first the Laura Logan report on Bengazi using testimony from a guy who said he was there, but was later determined to be a fraud.

And now this. Worldwide BIOS virus? Wow.

I am my favorite Internet Security personality, and I am telling you -- this was a butcher piece on Edward Snowden, crafted to sway public opinion that everything the nice guys at the NSA are doing to protect us against the evil terrorists is just fine. Nothing to see here, Please move along.

As to hackers puffing up their prowess by couching their exploits in misleading terms it seems it has ever been thus. Bruce Sterling's book, 'The Hacker Crackdown' (first published in 1992 !?!) goes into amusing detail about this. And since Bruce is such a stand up guy, he made certain that he retained the electronic rights to the book (remember, this is 1992) so that he could make it freely available. So go look it up because it is still a rollicking read :)

Well its not news that its possible. Its that I had the players backwards or am fooled. I believe this core security page on persistent bios is useful. Toucan systems Broussard could pull it off via keyboard and arduino iirc

Can anyone explain why NSA+ seem to pre-occupied with External threats? Is it simply because they can perpetually hint at looming threats or successfully foiling an attack? PROBLEM: Once credibility is gone, it's difficult to believe them &/or that they are doing it for us. However, great way to justify one's budget.

Concerning Internal threats, is Microsoft ever going to patch the "Utilman.exe" security HOLE present in several versions of Windows. Yes, Hole; a hack requires some skill. Anyone of average intelligence could use "Utilman.exe" to leisurely access a computer in under 10 minutes. Curious, just google how to. JS